[CALUG] PAM_LDAP verbose logging?
John Ferrell
jdferrell3 at yahoo.com
Sun Mar 5 22:26:51 CST 2006
I am trying to configure my linux box to authenticate
users using LDAP. More specifically, I only want to
verify the user's password using LDAP, the accounts
are local. As far as I can tell the system is
performing the LDAP bind during the login process;
using tcpflow I can see the LDAP information passed to
the server. Unfortunately, I cannot tell what is
really going on. Even though I have 'debug' option
enabled in the pam config file, the logs do not show
any pam_ldap activity.
Below is a snippet from the sshd pam config with LDAP:
#LDAP
auth sufficient pam_ldap.so use_first_pass debug
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
...
Originally, I was getting a bind error in my
/var/log/messages. After fixing ldap.conf and
verifying the settings using ldapsearch, I no longer
see the error. However, I don't see any specific
pam_ldap errors in any of my logs now.
I have done some searching and found a few news group
postings with some sample logs. It looks like there
is a way to enable more verbose logging:
Dec 8 10:04:43 linux29 login[2063]: pam_ldap: error trying to bind as user "cn=Linux29,ou=SER,ou=KLK,o=EK" (Invalid credentials)
There is a debug option in ldap.conf, but that just
created a log file with output similar to running
ldapsearch with the debugging option.
My main box is Red Hat AS 4, but I have tried this on
Ubuntu and SuSE boxes as well, with the same results.
Hopefully someone can point me to the debugging option
so that my logs are a bit more helpful in
troubleshooting this issue.
thanks,
John
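As an added example (not from the post, and not part of pam_ldap itself), a small parser for syslog lines in the pam_ldap format quoted above, so that once verbose logging is producing such lines the bind failures can be grouped by bind DN and LDAP reason. The sample log is constructed; only its first line reproduces the format shown in the post, and the other lines, hostnames and DNs are made up.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt. The first line is the format quoted in
# the post; the remaining lines are invented in the same shape.
SAMPLE_LOG = """\
Dec 8 10:04:43 linux29 login[2063]: pam_ldap: error trying to bind as user "cn=Linux29,ou=SER,ou=KLK,o=EK" (Invalid credentials)
Dec  8 10:05:01 linux29 sshd[2101]: pam_ldap: error trying to bind as user "uid=jdoe,ou=People,o=EK" (Invalid credentials)
Dec  8 10:05:07 linux29 sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=jdoe
Dec  8 10:06:12 linux29 sshd[2130]: pam_ldap: error trying to bind as user "uid=jdoe,ou=People,o=EK" (Can't contact LDAP server)
Dec  8 10:06:20 linux29 sshd[2140]: pam_ldap: error trying to bind as user "cn=Linux29,ou=SER,ou=KLK,o=EK" (Invalid credentials)
"""

# Classic syslog prefix (month, day, time, host, program[pid]) followed by
# the pam_ldap tag. \s+ after the month tolerates both "Dec 8" and "Dec  8".
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: pam_ldap: (?P<msg>.*)$'
)
# The bind-failure message: quoted DN, then the LDAP error text in parentheses.
BIND_RE = re.compile(
    r'error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)'
)


def parse_pam_ldap(log_text):
    """Return one dict per pam_ldap line; non-pam_ldap lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # e.g. a pam_unix line: not ours
        ev = {'ts': m['ts'], 'host': m['host'], 'prog': m['prog'],
              'pid': int(m['pid']), 'msg': m['msg'], 'dn': None, 'reason': None}
        b = BIND_RE.search(m['msg'])
        if b:
            ev['dn'], ev['reason'] = b['dn'], b['reason']
        events.append(ev)
    return events


def summarize_bind_failures(events):
    """Count failed binds per (DN, reason). Credential errors and
    server-reachability errors call for different fixes, so keep them apart."""
    return Counter((e['dn'], e['reason']) for e in events if e['dn'])


if __name__ == '__main__':
    for (dn, reason), n in summarize_bind_failures(parse_pam_ldap(SAMPLE_LOG)).items():
        print(f'{n:3d}  {reason:28s} {dn}')
```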